Release Notes for ASA CX and Cisco Prime Security Manager 9.1

Published: November 30, 2012

Last Updated: December 19, 2014

Caution For ASA Version 9.3(2), 9.2(3), 9.1(5.21) and later, only ASA CX Version 9.3(2.1) and later is supported. When upgrading your ASA, first upgrade the ASA CX software; otherwise the ASA CX module will become unresponsive.
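A pre-upgrade check that encodes this caution, written here as an added example rather than code from Cisco or from the release notes: it parses Cisco-style version strings such as 9.1(5.21) and 9.3(2.1), decides whether the target ASA version is one that supports only ASA CX 9.3(2.1) and later, and tells you whether the CX module must be upgraded first. The per-train thresholds 9.3(2), 9.2(3) and 9.1(5.21) and the CX minimum 9.3(2.1) come from the caution above; the treatment of trains newer than 9.3 as also covered by "and later", and of trains older than 9.1 as unaffected, is our assumption.

```python
import re

# Thresholds from the release-note caution: at these ASA versions (and later in
# the same train) the ASA CX module must already be at 9.3(2.1) or later.
ASA_THRESHOLDS = {
    (9, 1): (9, 1, 5, 21),   # 9.1(5.21)
    (9, 2): (9, 2, 3, 0),    # 9.2(3)
    (9, 3): (9, 3, 2, 0),    # 9.3(2)
}
MIN_CX_VERSION = (9, 3, 2, 1)  # ASA CX 9.3(2.1)

# Matches 'major.minor(maint)' or 'major.minor(maint.interim)'.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)\s*$")


def parse_version(text):
    """Parse a Cisco version string into a comparable 4-tuple.

    A missing interim number becomes 0 so that tuples compare correctly:
    '9.1(5.21)' -> (9, 1, 5, 21) and '9.3(2)' -> (9, 3, 2, 0).
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Cisco version string: {text!r}")
    major, minor, maint, interim = match.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def asa_requires_new_cx(asa_version):
    """True if this ASA version supports only ASA CX 9.3(2.1) and later.

    Assumption (ours, not stated in the release notes): every train newer
    than 9.3 is covered by the 'and later' wording, and trains older than
    9.1 are not affected.
    """
    version = parse_version(asa_version)
    train = version[:2]
    if train in ASA_THRESHOLDS:
        return version >= ASA_THRESHOLDS[train]
    return train > (9, 3)


def check_upgrade_order(current_cx_version, target_asa_version):
    """Classify a planned ASA upgrade.

    Returns 'ok' when the target ASA version does not need the newer CX, or
    the CX module is already at 9.3(2.1) or later; returns 'upgrade_cx_first'
    when the ASA upgrade would leave the CX module unresponsive unless CX is
    upgraded beforehand.
    """
    if not asa_requires_new_cx(target_asa_version):
        return "ok"
    if parse_version(current_cx_version) >= MIN_CX_VERSION:
        return "ok"
    return "upgrade_cx_first"


if __name__ == "__main__":
    # Constructed sample upgrade plans (current CX version, target ASA version);
    # they do not describe any real deployment.
    plans = [
        ("9.1(3)", "9.1(5.21)"),
        ("9.1(3)", "9.1(5)"),
        ("9.3(2.1)", "9.3(2)"),
        ("9.2(1.1)", "9.2(3)"),
    ]
    for cx, asa in plans:
        print(f"CX {cx} -> ASA {asa}: {check_upgrade_order(cx, asa)}")
```

Run it before scheduling an ASA upgrade; any plan reported as `upgrade_cx_first` means the CX software package must be applied before the ASA package.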

Introduction

CX and Cisco Prime Security Manager (PRSM, pronounced “prism”) are closely related. They share the same user interface, so that your experience in directly managing a CX device is easy to translate into managing multiple devices in Cisco Prime Security Manager.

Thus, these release notes and the product documentation cover both the CX platform and the Cisco Prime Security Manager device management software, as well as ASA device configuration to the extent that you can configure the ASA in PRSM. When reading the release notes and the product documentation, keep the following in mind:

PRSM Multiple Device mode refers to the multi-device management application, which you can use to manage more than one CX device and ASA devices. Where a feature applies to this platform only, we explicitly state that it is for Multiple Device mode.

ASA CX (or CX) only, Single Device mode, or PRSM Single Device mode refers to the management application that is hosted on the CX device itself. You can use this application to configure that single device only. Thus, functions that relate to managing multiple devices, such as the device inventory, do not appear.

Supported Versions of Related Software

CX and PRSM can interact with other applications in your network. The following table lists the applications and the minimum versions required.

Applications that Support Integration with PRSM

You can share information between Cisco Prime Security Manager and some other applications. The following table lists the supported applications and the type of integration available.

If supported, Cisco Prime Security Manager allows you to configure a single-sign-on (SSO) relationship between PRSM and other applications. An SSO relationship allows you to log into the other application, then directly access PRSM from within that application without needing to log into PRSM. Your username/password for the other application suffices for PRSM authentication.

Use the following steps to configure this relationship:

1. Create an SSO directory realm in PRSM.

2. Add users defined in the SSO directory to PRSM.

See the documentation for these products for information on their SSO server and PRSM cross-launch access points.

Table 2 Applications that support integration with PRSM 9.1(2)

Application          Feature Notes
None supported at this time.

Devices You Can Add without an ASA

The Add Device wizard includes a link to add a device when you do not have an ASA. At this time, we do not support adding any devices through this link.

Interface Role Support

Currently, you cannot use the interface role object with any devices. Any roles that you configure and use will be ignored when committing policies.

Heartbleed Bug

The Heartbleed bug (CVE-2014-0160) is an OpenSSL vulnerability that uses invalid TLS heartbeat messages to gain inappropriate access to data on a device. ASA CX 9.1.x and PRSM 9.1.x are not vulnerable to the Heartbleed bug. However, CX devices do not prevent invalid heartbeats from passing through the device as traffic between other endpoints. Ensure that you patch your vulnerable endpoints with the required fixes.

You can learn more about this bug at heartbleed.com or other resources on the Internet.

New Features in 9.1(3) Build 8

Released: October 29, 2013

The following features are new in 9.1(3):

New decryption settings that let you relax decryption processing requirements, so that you can ignore untrusted certificates or TLS handshake failures and allow those transactions without decryption. The options appear under the heading Deny Transactions to Servers: Using an Untrusted Certificate (On/Off) and If the Secure Sessions Handshake Fails (On/Off).

URL category and web reputation are now available for TLS/SSL traffic even if you do not enable decryption. Access policies that use URL filtering or web reputation filtering will now apply correctly to undecrypted TLS/SSL connections. Note that this change is not reflected in the user documentation for this release. The feature is also not available in 9.2(1.1).

New Features in 9.1(2) Build 21

New Features in 9.1(2) Build 11

Released: March 7, 2013

The following features are new in 9.1(2) in addition to bug fixes:

The Dashboard > Threats report has been revamped and changed to Dashboard > Malicious Traffic. The new report shows more detail about web-reputation-based malware threats. The old Applications with Malicious Transactions dashboard is now one of the five dashboards available from the new Malicious Traffic dashboard. New dashboards include Threat Types, Users with Malicious Transactions, Web Categories with Malicious Transactions, and Web Destinations with Malicious Transactions.

You can now generate PDF reports from the dashboards. There are three types of report: administrative, application and web URL analysis, and user and device analysis.

You can now create customized end user notification pages, which are presented to users making HTTP requests that your access policies deny.

There is a new logging option for data plane syslog.

You can now configure ASA CX in monitor-only mode when running with ASA Software 9.1(2). In this mode, ASA CX sees a copy of network traffic. Use this mode if you simply want to see how ASA CX classifies the traffic prior to implementing policies. Do not use it as a normal operational mode.

New CLI commands:

– clear opdata summary

– show services status all

New Features in 9.1(1) Build 17

Released: May 8, 2013

Note These changes are not available in 9.1(2) Build 11 or 21 except as noted.

To obtain the upgrade package, click the Download Software link from the following pages on Cisco.com and select the appropriate System Software package. There are separate packages for each system type.

Documentation Updates

The following are updates for the published documentation for this release.

Obtaining and Installing the 3DES/AES (K9) License for Strong Encryption

A 3DES/AES license, otherwise known as a K9 license, is required for strong encryption. If you do not have a K9 license, decryption processing with a server that requires strong encryption will fail. Any flow that requires decryption that the device cannot perform will be denied regardless of access policies. Although the K9 license is free, its availability is limited by export restrictions.

If you cannot use a K9 license, you should test decryption processing in a controlled environment to ensure that it satisfies your requirements before enabling decryption in your production network. Without a K9 license, your decryption policies will require careful testing and fine-tuning to ensure that desirable traffic is not blocked.

Procedure

Step 1 Obtain the serial number (SN) of your ASA CX device. You can obtain this number using the following techniques:

If you are managing the device in PRSM, the device inventory page shows the serial number. Select Device > Devices to see the inventory.

If ASA CX is already operational, you can log into the CLI and use the show platform hardware info command; the PCB SN is the number you need.

If the ASA CX hardware module is installed in an ASA 5585-X appliance, you can get the number through the ASA CLI using the show module 1 details command.

If the ASA CX software module is installed in an ASA 5500-X series appliance, the ASA CX and the ASA share the same serial number. Use the show version command from the ASA CLI to get the number. If ASA CX is operational, you can also use the show module cxsc details command from the ASA CLI.

Step 2 Go to http://www.cisco.com/go/license and obtain a new K9 Crypto license. Select Get New > IPS, Crypto, or Other License, and select Cisco ASA CX 3DES/AES License under Security Products. Follow the wizard instructions to obtain the license. (Note that this procedure might have changed since the publication of this document.)

Step 3 In the ASA CX/PRSM web interface, select Administration > Licenses, then I want to > Upload license file, to upload the K9 license. The license is tied to the SN, so as long as the SN for the license matches the device, it is applied immediately. In Multiple Device mode, the device must already be in the inventory.

Related Documentation

The product’s web interface includes online help that explains how to use the web interface and the command line interface (CLI). You can also find documents on Cisco.com using Finding ASA CX and Cisco Prime Security Manager Documentation at:

For changes to the Application Visibility and Control (AVC) signatures, you can look at Release Notes for Application Visibility and Control Signatures, Release 1.1.0.x at the following URL. Although these notes are written for the Cisco Web Security Appliance (WSA) product, these products use the same AVC signatures, so the facts about signature changes also apply to PRSM and CX. Note that these notes refer to behaviors as “granular controls.”

Reading the Documentation on your Smart Phone or Tablet

The CX/PRSM user guide, PRSM installation guide, and CX/PRSM command reference are available in ePub format. The other documents are not available in ePub format.

You can download these guides to your smart phone or tablet and read them using an ePub reader, such as iBooks, Bluefire, NeoSoar, and so forth. There are many readers, both free and paid, that you can download from the app stores for iOS and Android devices.

These documents are available from the following locations:

Cisco Tech Docs application — You can download this free app from the Apple App Store or the Android store. In the app, look for the documents under “ASA Next-Gen Firewall Services.” This app will link to the documents for the most current release.

Open m.cisco.com in your browser — You can find the documents at Technical Documentation > Security > ASA Next-Generation Firewall Services. This site will link to documents for the most current release.

Open the links mentioned in Finding ASA CX and Cisco Prime Security Manager Documentation — You can download the ePub version of these documents from their home pages. You can find the documentation roadmap with the URLs at:

To receive all new and revised Cisco technical documentation, subscribe to What’s New in Cisco Product Documentation as an RSS feed; the feed delivers content directly to your desktop through a reader application. The RSS feeds are a free service.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.